Question about `Kryo.registrationRequired` being enabled by default

[JLLeitschuh]

I'm a security researcher doing some historical digging and trying to figure out when Kryo.registrationRequired was set as true by default. Do you know if a CVE was ever issued when this became the default behaviour? I'm wondering because it would be good to encourage end users to upgrade beyond this version. The best way to do this can be by issuing a CVE number.

[theigl]

See #398. The change is present in all released versions of 5.x.

There was no CVE issued because this was simply deemed a sensible change to a default value.

[JLLeitschuh]

Much appreciated. As this is a serious security improvement, do you mind if I work with a CNA to issue a CVE number for all versions of Kryo prior to 5.0.0 to make sure your end users are aware of this important security improvement and that they should update?

[theigl]

There is no need to upgrade if you are on an older version of Kryo. Users can simply set setRegistrationRequired(true) on older versions. And a lot of users will already have set it, because registering classes upfront is faster.

Since Kryo is not backwards-compatible between major versions, upgrading Kryo to 5.x can be a lot of work if you have persistent data. Existing data has to be read with the older version and written with the newer version. It doesn't make sense to force/urge users to go through this, just because of a change to a default value that they can already set themselves in their current version.